CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers Rick Graziani Cabrillo College [email protected] Last Updated: Fall 2010


Page 2

Materials

Book: Implementing Cisco IP Routing (ROUTE) Foundation Learning Guide: Foundation learning for the ROUTE 642-902 Exam, by Diane Teare
  • Book: ISBN-10 1-58705-882-0, ISBN-13 978-1-58705-882-0
  • eBook: ISBN-10 0-13-255033-4, ISBN-13 978-0-13-255033-8

Page 3

At the end of this presentation we will have:
  • Created our broadband connection
  • Configured a floating static route: if the private WAN is down, use the Internet (ISP)
  • Configured NAT for traffic over the Internet: changes the private source IP address of traffic sent over the Internet
  • Configured IPsec
    - Want all traffic, including LAN-to-LAN, to be able to use the Internet (ISP)
    - Want to secure LAN-to-LAN traffic between Branch and HQ over the Internet using IPsec
    - Problem: LAN-to-LAN traffic is still being sent over the private WAN, and once it is sent over the Internet, NAT would rewrite its private source address before IPsec sees it
    - Solution: Modify NAT to create a NAT exemption for LAN-to-LAN traffic
    - Problem: IPsec does not support broadcasts and multicasts, so it cannot carry EIGRP routing updates
    - Solution: Use a GRE tunnel: encapsulate traffic inside a GRE point-to-point tunnel, then inside an IPsec tunnel
    - Must add the GRE tunnel network to EIGRP so all LAN-to-LAN traffic uses the GRE tunnel

Page 4

Lab will reinforce concepts and commands

Page 5

Branch Office Design

Page 6

Branch Office Requirements

There are common requirements that every branch network design needs to address:
  • Connectivity
  • Security
  • Availability
  • Voice
  • Application

Page 7

The challenges when addressing these requirements include the following:
  • Bandwidth and network requirements: video, voice, and data, and supporting mission-critical functions and applications.
  • Consolidated data centers: centralized security and management control.
  • Mobility: the dispersion of the staff coupled with the consolidation of the IT resources.
  • Disparate networks: branch offices built in isolation, running aging and separate voice and data networks.
  • Management costs: a patchwork of network devices in which branch offices often have very different equipment and architectures.

Page 8

Upgrade Scenario
  • The HQ router routes to the branches using EIGRP as the routing protocol
  • Currently there is no redundancy
  • The branch site also provides basic services: DHCP and NAT

Page 9

When deploying branch services, one must consider how the following trends and considerations affect the implementation plan:
  • Consolidation
  • Integration
  • High availability
  • VPNs as a WAN option

Page 10

Implementation Plan

To accomplish the branch office upgrade we will include configurations at both the branch and the headquarters routers, as follows:
  Step 1 Deploy broadband connectivity
  Step 2 Configure static routing
  Step 3 Document and verify other services
  Step 4 Implement and tune the IPsec VPN
  Step 5 Configure GRE tunnels

Page 11

Step 1: Deploying Broadband Connectivity

Broadband technologies provide always-on access, which can support enhanced voice and video services.

"Broadband" often refers to any connection of 256 Kbps or greater.

Page 12

Broadband (FYI)

Broadband (general): data transmission using a multiplexing methodology to provide more efficient use of the bandwidth.

Broadband (cable): Frequency Division Multiplexing (FDM) of multiple signals in a wide radio frequency (RF) bandwidth over a hybrid fiber-coaxial (HFC) network, with the capability to handle large amounts of information.

Frequency Division Multiplexing: FDM is a means by which information from multiple channels or frequencies can be allocated bandwidth on a single wire.

Page 13

Broadband can include many different connection options, including:
  • Wireless broadband
  • Broadband cable access
  • Digital subscriber line (DSL)

Page 14

Wireless Broadband

New developments in broadband wireless technology include:
  • Municipal Wi-Fi
  • WiMAX
  • Satellite Internet

Page 15

Municipal Wi-Fi
  • Uses a mesh (series) of access points (radio transmitters).
  • Each access point can communicate with at least two other access points.
  • Signals travel from access point to access point through this cloud until they reach a node that has a wired connection to the Internet, or a backhaul node.

Page 16

WiMAX (Worldwide Interoperability for Microwave Access) - IEEE 802.16
  • Provides wireless data over long distances.
  • Compared with Wi-Fi, WiMAX operates at higher speeds, over greater distances, and for a greater number of users.
  • A WiMAX tower station connects directly to the Internet using a high-bandwidth connection (for example, a T3 line or microwave).
  • WiMAX is able to provide coverage to rural areas out of reach of "last mile" cable and DSL technologies.

Page 17

FYI: http://www.wimax.com/general/what-is-wimax

WiMAX is a wireless digital communications system, also known as IEEE 802.16, that is intended for wireless "metropolitan area networks". WiMAX can provide broadband wireless access (BWA) up to 30 miles (50 km) for fixed stations, and 3 - 10 miles (5 - 15 km) for mobile stations. In contrast, the WiFi/802.11 wireless local area network standard is limited in most cases to only 100 - 300 feet (30 - 100 m).

Page 18

Satellite

There are three ways to connect to the Internet using satellites:

One-way multicast satellite
  • Most IP protocols require two-way communication (for example, web pages), so full interactivity is not possible.

Page 19

One-way terrestrial return satellite
  • Traditional dialup access is used to send outbound data through a modem
  • Downloads are received from the satellite

Page 20

Two-way satellite
  • Satellites are used for both sending and receiving data

Page 21

Cable Background Information
  • Not popular for connecting branch sites: many businesses do not have access to cable because cable TV's main customers are residential neighborhoods.
  • Uses a coaxial cable that carries radio frequency (RF) signals across the network.
  • Coaxial cable is the primary medium used to build cable TV systems.

Page 22

Hybrid Fiber-Coaxial Networks (FYI)

HFC architecture is relatively simple. A web of fiber trunk cables connects the headend (or hub) to the nodes where optical-to-RF signal conversion takes place. The fiber carries the same broadband content as coax for Internet connections, telephone service, and streaming video.

[Figure: HFC transportation network, headend to fiber nodes]

Page 23

Hybrid Fiber-Coaxial Networks (FYI)

Coaxial feeder cables originate from the node and carry the RF signals to the subscribers. The effective range or service area of a distribution network segment (feeder segment) is from 100 to as many as 2000 subscribers.

[Figure: HFC transportation network, fiber node to subscribers]

Page 24

Putting it all together (FYI)

Step 1: In the downstream path, the local headend (LHE) receives television signals through satellite dishes, antennas, analog and digital video servers, local programming, and other headends. The CMTS (cable modem termination system) modulates digital data onto an RF signal and combines that RF signal with the TV signals.

Page 25

Putting it all together (FYI)

Step 2: The combined signal is input to a fiber transmitter that converts the signal from RF to light (optical) and transmits it to a fiber node further downstream. The fiber node is located relatively close to the subscribers.

Page 26

Putting it all together (FYI)

Step 3: The fiber node converts the light back to RF. The RF is transmitted over the coaxial network, which is comprised of amplifiers, taps, and drops.

Page 27

Putting it all together (FYI)

Step 4: At the subscriber end:
  • An RF splitter divides the combined RF signal into video and data.
  • The cable modem receives the data portion of the RF signal: tuned to the data RF channels, it demodulates the data RF signal back into digital data and passes the data to the computer over an Ethernet or 802.11a/b/g connection.
  • The cable set-top box receives the video portion of the RF signal.

Page 28

Putting it all together (FYI)

Outbound or upstream direction:
  • The cable modem (CM) decodes the digital information from the Ethernet connection and modulates a separate RF signal with this digital information.
  • The CM transmits this signal at a certain RF power level.
  • At the headend, the CMTS, tuned to the data RF channels, demodulates the data RF signal back to digital data and routes the digital data to the Internet.

Page 29

DSL Background Information

Several years ago, research by Bell Labs identified that a typical voice conversation over a local loop only required the bandwidth from 300 Hz to 3400 Hz. This was enough of a frequency range for normal voice conversation, low to high. For many years, the telephone networks did not use the bandwidth beyond 4 kHz; DSL carries data in that unused spectrum.

Page 30

DSL
  • DSL types fall into two major categories, taking into account downstream and upstream speeds:
    - Symmetrical DSL: upstream and downstream speeds are the same.
    - Asymmetrical DSL: upstream and downstream speeds are different; downstream speed is typically higher than upstream speed.
  • The term xDSL covers a number of DSL variations.
  • The data rate that DSL service can provide depends on the distance between the subscriber and the CO: the shorter the distance, the higher the bandwidth available.

Page 31

DSL Variants

DSL Technology | Data Rate Down/Up | Maximum Distance | Nature                  | Data & POTS at same time
ADSL           | 8 / 1 Mbps        | 18,000 ft.       | Asymmetric              | Yes
RADSL          | Adaptable         | Adaptable        | Asymmetric              | Yes
VDSL           | 55 / 13 Mbps      | 4,500 ft.        | Asymmetric or Symmetric | Yes
IDSL           | 144 / 144 Kbps    | 18,000 ft.       | Symmetric               | No
SDSL           | 768 / 768 Kbps    | 22,000 ft.       | Symmetric               | No
G.SHDSL        | 2.3 / 2.3 Mbps    | 28,000 ft.       | Symmetric               | No

Page 32

Data Transmission over ADSL

Three ways to encapsulate IP packets over a DSL connection:
  • RFC 1483/2684 Bridged
  • PPP over Ethernet (PPPoE)
  • PPP over ATM (PPPoA)

Page 33

PPP over ATM (PPPoA)
  • PPPoA is used with DSL and ADSL services; it carries PPP frames directly over ATM AAL5, so it does not apply to DOCSIS cable.
  • Provides PPP authentication (PAP or CHAP), optional compression, and optional link encryption. Link encryption is rarely deployed by providers; in this scenario confidentiality comes from IPsec, not from PPP.
  • Less framing overhead than PPPoE, because PPP is carried directly in AAL5 rather than inside Ethernet and PPPoE headers.
  • PPPoA is a routed solution: the branch router terminates the PPP session itself, unlike RFC 1483 Bridged (where the CPE bridges frames to the provider) and PPPoE as typically deployed with a host-side PPPoE client.

Page 34

Configuring PPPoA

In our scenario, the Internet service provider has provided the branch site with a PPPoA connection to the Internet.

The steps to configure PPPoA on the branch router, where components of both the DSL architecture and of basic branch IP services are required, are as follows:
  1. Configure an ATM interface.
  2. Configure a dialer interface.
  3. Configure PAT.
  4. Configure the branch router as a local DHCP server.
  5. Configure a static default route.

Page 35

The ATM and dialer interfaces establish the ATM virtual circuit and the PPP session.

A dialer interface is a virtual interface that is configured as an on-demand component; it comes up upon successful DSL subscriber authentication.

[Figure: CPE router with E0/0 (LAN) and ATM0/0; the PVC crosses the ATM network to the ISP router, which fronts the ISP's DHCP server]


Page 37

Here is a high-level overview of the Branch Router configuration.

Page 38

The branch router provides DHCP services to users connected to the inside LAN interface. Users connecting to the inside LAN interface are provided with a private address from the 192.168.1.0 pool.

Page 39

The configuration specifics of the ATM 0/0 interface and the permanent virtual circuit (PVC) are provided by the DSL service provider.

Notice the combination of the dialer pool-member 1 command under the ATM 0/0 PVC and the dialer pool 1 command under the dialer interface. These two commands associate the ATM 0/0 interface with the Dialer 0 interface.

Page 40

The Dialer 0 interface is a virtual interface that initiates PPP connectivity, including authentication (PAP or CHAP). Notice that it is also identified as the outside NAT interface.

Page 41

NAT is configured to translate traffic initiated at the LAN port to the IP address of the dialer interface. With PPPoA that address is assigned by the DSL provider during PPP negotiation (IPCP, via ip address negotiated on the dialer), not by DHCP.

Page 42

Notice that the static default route points to the dialer interface. Routing traffic to this default route triggers the dialer interface to activate.
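Pages 34 to 42 describe a branch configuration that the deck shows only as an image. The following is an added example, not the deck's own configuration: a Cisco IOS PPPoA configuration for the branch router that implements all five steps (ATM interface, dialer interface, PAT, local DHCP server, static default route). The PVC 8/35, the CHAP username and password, the DNS server 192.0.2.53 and the interface names are assumptions; the real values come from the DSL provider.

```cisco
! Added example: branch router PPPoA configuration (assumed values marked).
!
! 1. ATM interface: the provider's PVC (8/35 assumed) joins dialer pool 1.
interface ATM0/0
 no ip address
 dsl operating-mode auto
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
! 2. Dialer interface: terminates PPP, takes its address from the provider
!    through IPCP, authenticates with CHAP, and is the NAT outside interface.
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname branch@isp.example
 ppp chap password 0 ChangeMe-example
!
! Any IP traffic routed to Dialer0 counts as interesting and brings it up.
dialer-list 1 protocol ip permit
!
! 3. PAT: every LAN host shares the address negotiated on Dialer0.
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
!
! 4. Local DHCP server for the 192.168.1.0 pool (DNS address assumed).
ip dhcp excluded-address 192.168.1.1 192.168.1.9
ip dhcp pool BRANCH-LAN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.0.2.53
!
! 5. Static default route via the dialer; routing to it triggers Dialer0.
ip route 0.0.0.0 0.0.0.0 Dialer0
!
! Verification:
!   show ip interface brief          - Dialer0 shows the negotiated address
!   show dsl interface atm0/0        - line state and trained rates
!   show ip nat translations         - LAN flows translated to the Dialer0 address
!   debug ppp authentication         - use briefly if CHAP fails
```

The CHAP password is stored with `0` (clear text) here only to keep the example readable; `service password-encryption` at least obscures it in `show running-config`, and the credentials should never be reused as the IPsec preshared key configured later in the chapter.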


Page 44

Configuring Routing and Floating Static Route

Because PPP, ATM, and DSL are beyond the scope of this chapter, we will modify our scenario to remove DSL; in the configurations that follow, the ISP-facing interface is Serial 0/0/1.

Page 45

Currently, the main connection to HQ is via the private WAN network, because it is configured for routing with EIGRP.

[Figure: Branch to HQ over the private WAN, running EIGRP]

Page 46

What happens if the private WAN link fails? Traffic to the HQ e-mail server or to the Internet would not be possible.

By adding a floating default static route to the branch router, we can accomplish resiliency:
  • Whenever the private WAN link fails, the floating static route (configured with an administrative distance higher than EIGRP's) is installed in the routing table.
  • When the private WAN reactivates, the EIGRP route, with its lower administrative distance, returns to the routing table and traffic is rerouted through the private WAN.

[Figure: Floating default route toward the ISP]
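As an added example (not the deck's own configuration), here is how the floating static default route on page 46 is configured and verified in Cisco IOS. It assumes the ISP-facing interface is Serial0/0/1 with next hop 209.165.200.225, that the private WAN to HQ is Serial0/0/0 on 10.1.1.0/30, that EIGRP AS 1 is in use, and that HQ advertises a default route into EIGRP; none of these values come from the deck.

```cisco
! Added example: floating static default route on the branch router.
!
! Private WAN to HQ (assumed Serial0/0/0, 10.1.1.0/30) runs EIGRP AS 1,
! which also delivers HQ's default route (assumed: HQ injects 0.0.0.0/0).
router eigrp 1
 network 192.168.1.0
 network 10.1.1.0 0.0.0.3
 no auto-summary
!
! Floating static default toward the ISP (next hop 209.165.200.225 assumed).
! Administrative distance 171 is higher than EIGRP internal (90) and
! EIGRP external (170), so this route is installed only after EIGRP
! withdraws its default; when the WAN returns, EIGRP's lower distance wins.
ip route 0.0.0.0 0.0.0.0 Serial0/0/1 209.165.200.225 171
!
! Verification (lab): shut Serial0/0/0 and compare before and after.
!   show ip route 0.0.0.0      - "Known via static, distance 171" only while the WAN is down
!   show ip route static       - the 0.0.0.0/0 [171/0] entry appears only then
!   show ip eigrp neighbors    - the HQ neighbor disappears and returns with the WAN
```

The floating route restores reachability, but everything the branch LAN sends out Serial0/0/1 still carries RFC 1918 source addresses, which is why NAT follows on page 47. Distance 171 rather than, say, 5 matters: a static default with a distance below 90 would permanently override the EIGRP route and silently move all traffic onto the Internet path.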

Page 47

It would seem like this would work, but this scenario would really not be feasible, because the private (RFC 1918) addresses of the branch LAN would be filtered by the ISP router. Therefore, on the branch router, the internal private IP addresses must be translated via NAT to globally routable public IP addresses.

[Figure: Default route toward the ISP; EIGRP over the private WAN]


Page 49

Configuring NAT/PAT for Branch Services

Notice the NAT pool of global IP addresses available on the branch router. Also notice that the branch server has a static NAT global address (209.165.200.254). The branch router must be configured to deploy NAT as shown above.

There are three generic steps to configuring NAT:
  1. Which traffic will be translated
  2. To what address it will be translated
  3. Which interfaces are involved in the translation selection

Page 50

! ISP-facing interface
interface serial 0/0/1
 ip nat outside
!
! Branch LAN
interface fastethernet 0/0
 ip nat inside
!
! Which traffic is translated: anything sourced from the branch LAN
ip access-list extended BRANCH-NAT-ACL
 permit ip 192.168.1.0 0.0.0.255 any
!
! To what it is translated: the pool of public addresses
ip nat pool BRANCH-NAT-POOL 209.165.200.249 209.165.200.253 prefix-length 29
ip nat inside source list BRANCH-NAT-ACL pool BRANCH-NAT-POOL
!
! Static one-to-one entry for the branch server
ip nat inside source static 192.168.1.254 209.165.200.254

  • Configure the interfaces involved in this particular NAT translation (the outside interface is the ISP-facing interface).
  • Translate addresses coming from the branch LAN, regardless of destination.
  • The NAT pool of public IP addresses is defined using the ip nat pool command. The pool is named BRANCH-NAT-POOL and identifies a range of valid and available Internet IP addresses.
  • The ip nat inside source command reads: "from BRANCH-NAT-ACL to BRANCH-NAT-POOL".
  • The last line creates a static translation entry in the router, where the inside local address 192.168.1.254 is always translated to the global address 209.165.200.254 on the outside.
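Building on the page 50 configuration, the following added example (not the deck's own) extends BRANCH-NAT-ACL with the NAT exemption that the agenda on page 3 calls for, so that LAN-to-LAN traffic to HQ keeps its private source address and can later match the IPsec crypto ACL. The HQ LAN 10.10.10.0/24 is an assumption taken from the HQ host 10.10.10.10 used on page 66; the overload keyword is added here so that the five-address pool is not exhausted by the sixth concurrent host.

```cisco
! Added example: NAT with an exemption for LAN-to-LAN (VPN) traffic.
!
interface Serial0/0/1
 ip nat outside
!
interface FastEthernet0/0
 ip nat inside
!
! Order matters: the deny line must come before the permit. Traffic from the
! branch LAN to the HQ LAN (10.10.10.0/24 assumed) is exempted from NAT so
! that it still carries 192.168.1.x as source when the crypto map evaluates it.
! A deny in a NAT ACL means "do not translate", it does not drop the packet.
ip access-list extended BRANCH-NAT-ACL
 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
ip nat pool BRANCH-NAT-POOL 209.165.200.249 209.165.200.253 prefix-length 29
ip nat inside source list BRANCH-NAT-ACL pool BRANCH-NAT-POOL overload
ip nat inside source static 192.168.1.254 209.165.200.254
!
! Verification:
!   show ip nat translations   - LAN-to-Internet flows are listed; LAN-to-HQ flows are not
!   show ip nat statistics     - hits, misses and pool usage
!   clear ip nat translation * - after changing the ACL, old entries persist until cleared
```

Two caveats a practitioner should check. First, existing dynamic translations are not re-evaluated when the ACL changes, so clear them after editing BRANCH-NAT-ACL. Second, the static entry for 192.168.1.254 is unconditional: if that server must also reach HQ through the tunnel, condition the static entry with `route-map` (`ip nat inside source static 192.168.1.254 209.165.200.254 route-map NAME`, where the route map denies destinations in 10.10.10.0/24); otherwise its HQ-bound traffic is translated and leaves in clear text.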

Page 51

Other than the static translation for the inside branch server, there are no dynamic translations listed in the NAT cache (show ip nat translations).

Page 52

The show ip nat statistics output displays:
  • The number of active translations, which in this case is one static and zero dynamic translations
  • The interfaces involved in the NAT translations
  • The specifics of the BRANCH-NAT-POOL in use, including the BRANCH-NAT-ACL access list used to select the traffic to be translated

Page 53

Telnet from inside the branch LAN to the HQ router works (well, it would if we had a password set on the router's vty lines). Telnet sends the login in clear text across the ISP; on a production router use SSH (transport input ssh on the vty lines) instead.

[Figure: telnet from the branch LAN to the HQ router]



Page 56

Verifying and Tuning IPsec VPNs

Page 57

So far we have: broadband connectivity, a floating static route, and NAT.

Now we need to secure our LAN-to-LAN Internet links using IPsec VPN tunnels over the Internet as the primary connectivity option (the private WAN link is too expensive).

The intent of this section is not to provide detailed coverage of IPsec VPNs. This section is about understanding the impact on routing services and addressing schemes when deploying IPsec VPNs at branch office routers.

[Figure: VPN between Branch and HQ over the Internet]

Page 58

IPsec Technologies

IPsec resolves two issues:
  • By default, all traffic leaving on the public network is in clear text.
  • We need LAN-to-LAN traffic to travel as if it were over a private WAN, using private IP addresses.

IPsec provides two significant benefits:
  • Encryption: IPsec encrypts the data exchanged over the public Internet.
  • Encapsulation: using tunneling technology, IPsec (in tunnel mode) encapsulates the data as it leaves the site, thus hiding its original IP header, private addresses included.

Page 59

IPsec Encryption

IPsec provides three major security services:
  • Confidentiality
  • Integrity
  • Authentication

Page 60

Confidentiality
  • Provides encryption during the exchange of the data; only a recipient in possession of the valid key can decrypt the packets.
  • Uses symmetric cryptographic algorithms such as Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES). DES is broken and 3DES is deprecated; use AES on any current deployment.
  • Protects data from eavesdroppers.
  • VPNs achieve confidentiality using encapsulation and encryption.

Page 61

Integrity
  • Provides a check to confirm that the data was not altered during transmission.
  • Uses hashing algorithms such as message digest algorithm 5 (MD5) and Secure Hash Algorithm (SHA). MD5 and SHA-1 are deprecated for new deployments; prefer SHA-2 (sha256 and up) where the IOS release supports it.
  • Data integrity guarantees that between the source and destination there is no tampering with or alteration of the data.
  • VPNs typically use one of three technologies to ensure data integrity: one-way hash functions, message authentication codes (MACs), and digital signatures. IPsec uses the keyed HMAC form, which an attacker cannot recompute without the session key.

Page 62

Authentication
  • Provides assurance that the data is exchanged with the rightful party.
  • Provided by signing the results of hashing algorithms, or, with preshared keys, by proving knowledge of the shared secret.
  • Ensures that a message comes from an authentic source and goes to an authentic destination.
  • VPN technologies use several methods for establishing the identity of the party at the other end of a network: passwords (preshared keys), digital certificates, smart cards, and biometrics.

Page 63

IPsec Encapsulation

One of the benefits of IPsec is its capability to tunnel packets using an additional encapsulation.

Tunneling is the transmission of data through a public network so that routing nodes in the public network are unaware that the transmission is part of a private network. It allows the use of public networks to carry data on behalf of users as though the users had access to a private network. This is where the name VPN comes from.

Page 64

Tunneling: the original packet is encapsulated inside a new IP packet before it leaves the branch office.

Page 65

The VPN routers at Branch and HQ are responsible for these encapsulation and decapsulation tasks (the tunnel).

The IPsec encapsulation process (tunnel mode):
  • Adds an additional IP header to the original packet
  • Performs the security functions (confidentiality, integrity, authentication)

Page 66

Host 192.168.1.10 at the branch site wants to contact HQ host 10.10.10.10. The link is secured using a site-to-site IPsec VPN.
  1. The packet reaches the branch router, where it matches the crypto ACL and is flagged as interesting traffic.
  2. An IPsec VPN (tunnel) is established between the branch and HQ routers: the two routers authenticate each other (here with a preshared key), negotiate the security associations, and derive session keys.
  3. The branch router encrypts the original packet and encapsulates it, original IP header included, inside a new IP header addressed to the HQ router's public address.
  4. The packet is forwarded to the HQ site.
  5. When the packet arrives, the HQ router decrypts it with the session key negotiated for that security association (the preshared key authenticates the peers; it is not the key that encrypts the data), extracts the original IP packet, and forwards it to the HQ host.

Page 67

Configuration commands associated with IPsec VPNs are beyond the scope of this chapter. We will focus on the commands to verify proper configuration and operation. The details of the cryptographic services (confidentiality, integrity, and VPN endpoint authentication) will be transparent to us.

Page 68

IPsec Site-to-Site VPN Configuration

To better understand how to verify an IPsec VPN, we must ensure that certain concepts are understood. The steps to configure an IPsec VPN are as follows:
  1. Configure the initial key (ISAKMP) details.
  2. Configure the IPsec details.
  3. Configure the crypto ACL.
  4. Configure the VPN tunnel details.

Page 69

Complete IPsec configuration for the Branch router
  • The ISAKMP policy identifies the specifics for the initial key and security parameter exchange.
  • The IPsec details (the transform set) define how the IP packet will be encapsulated and how it will be identified by the named HQ VPN.
  • The VPN tunnel information is identified in the crypto map named HQ-MAP, which combines the ISAKMP policies, the IPsec packet detail, the peer address, and ACL 110.
  • ACL 110 is the crypto access control list that identifies the interesting traffic that will trigger the VPN to activate.
  • The crypto map is applied to the Internet-facing interface. (On IOS releases before 12.2(13)T it also had to be applied to the GRE tunnel interface; on 12.2(13)T and later only the physical interface needs it.)

Page 70

ISAKMP Policy

The first stage is to negotiate and exchange credentials (keys and security parameters) with a peer. It uses the protocol called ISAKMP (IKE) on UDP port 500 (UDP port 4500 when NAT traversal is in use).

The ISAKMP parameters are configured using the crypto isakmp policy command, which lets you specify:
  • Which encryption method to use (encryption)
  • Which hashing method to use (hash)
  • How the peers authenticate each other: preshared key or RSA signatures (authentication)
  • How the session keys are derived: the Diffie-Hellman group, that is, the size of the modulus used to create unique key material between the peers (group)
  • How long before these parameters have to be renegotiated (lifetime)

The preshared key itself is configured separately, with crypto isakmp key, bound to the peer's address.

Page 71

IPsec Details

IPsec is the framework that enables a VPN tunnel to be created.
  • Uses the crypto ipsec transform-set command to create a transform set (an acceptable combination of security protocols and algorithms) that the peers will agree on.
  • Identifies how the packets will be encapsulated (protected) by identifying an acceptable combination of security protocols, algorithms, and other settings.
  • During the IPsec security association (SA) negotiation, the peers agree to use a particular transform set when protecting a particular data flow.

Transforms used in this scenario:
  • ESP authentication transform: ESP with the SHA (HMAC variant) authentication algorithm (esp-sha-hmac)
  • ESP encryption transform: ESP with 168-bit Triple DES (esp-3des). 3DES is deprecated; use esp-aes 128 or esp-aes 256 on any current deployment.

Page 72: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

VPN Tunnel Information

Next, the actual VPN tunnel specifics must be entered. The crypto map command enters a subconfiguration mode where you can create or edit a named entry that specifies the VPN settings, so that they can be applied to an interface.

The crypto map is where you specify the following:

- Which IPsec transform set to use
- Which peer router to establish an IPsec VPN tunnel with
- Which ACL will be used to identify interesting traffic
- How long the security association should be kept before it is renegotiated

Page 73: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

Conceptually, a crypto map is similar to a funnel. You:

- Configure the IPsec settings
- Group them together in a crypto map
- Then apply the crypto map to the interface

When traffic meets the criteria (interesting traffic defined by ACL or other means):

- It passes through the funnel
- Its policies are enforced

Traffic that does not meet the criteria configured in the crypto map leaves the Internet-facing interface unencrypted.

Page 74: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

VPN ACL – Defining the interesting traffic

The crypto ACL is an extended IP ACL that is used to identify the traffic that should be protected.

- A permit statement results in the traffic being encrypted (uses the VPN tunnel).
- A deny statement results in the traffic being sent out unencrypted (does not use the VPN tunnel).

Both VPN peers must have reciprocating ACLs:

- The branch router requires an extended ACL to identify traffic going from its LAN to the HQ LAN.
- The HQ router requires an ACL to identify traffic going from its LAN to the branch LAN.

Page 75: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

Apply the Crypto Map

Last, the named crypto map must be applied to the Internet-facing interface that the peering router will connect to, using the crypto map interface configuration command.

Once configured, if the traffic matches the ACL, the router will begin the process to encrypt and tunnel traffic across to the VPN peer.
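The five steps above (ISAKMP policy, transform set, crypto ACL, crypto map, apply to the interface) put together for the branch router, as an added example that is not the deck's own configuration. It assumes Serial0/0/0 is the Internet-facing interface, uses the placeholders <HQ-PUBLIC-IP> and <BRANCH-PUBLIC-IP>, and the algorithm, lifetime and key values are illustrative choices rather than values from the slides.

```cisco
! Branch router: site-to-site IPsec to HQ (added example, not the deck's config).
! Assumptions: Serial0/0/0 = Internet-facing interface; <HQ-PUBLIC-IP> and
! <BRANCH-PUBLIC-IP> are placeholders; algorithms, lifetimes and the key are
! illustrative choices.
!
! 1. ISAKMP policy: initial key and security-parameter exchange (UDP 500)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
!
! Preshared key, bound to the HQ peer address
crypto isakmp key ExamplePSK-ChangeMe address <HQ-PUBLIC-IP>
!
! 2. IPsec details: transform set the peers must agree on
!    (ESP with SHA-HMAC authentication and 3DES encryption, as on the slide)
crypto ipsec transform-set HQ-TS esp-3des esp-sha-hmac
!
! 3. Crypto ACL 110: interesting traffic is branch LAN to HQ LAN
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
!
! 4. Crypto map HQ-MAP: peer, transform set, IPsec SA lifetime and ACL 110
crypto map HQ-MAP 10 ipsec-isakmp
 set peer <HQ-PUBLIC-IP>
 set transform-set HQ-TS
 set security-association lifetime seconds 3600
 match address 110
!
! 5. Apply the crypto map to the Internet-facing interface
interface Serial0/0/0
 crypto map HQ-MAP
!
! HQ router: reciprocating configuration. Repeat the same ISAKMP policy and
! transform set; the key binding, peer and crypto ACL are mirrored.
! (BRANCH-MAP is an assumed name for the HQ side's crypto map.)
crypto isakmp key ExamplePSK-ChangeMe address <BRANCH-PUBLIC-IP>
access-list 110 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map BRANCH-MAP 10 ipsec-isakmp
 set peer <BRANCH-PUBLIC-IP>
 set transform-set HQ-TS
 match address 110
!
! Verify (exec mode) after sending traffic between the two LANs:
! show crypto session
! show crypto ipsec sa
```

Until traffic matching ACL 110 is sent, show crypto session shows no active session; the tunnel is only brought up on demand.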


Page 76: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

Verifying an IPsec VPN

- show crypto session – displays status information for active crypto sessions
- show crypto ipsec sa – displays the settings used by current SAs


Page 77: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

Although the ping was successful, it appears that the tunnel is down. Recall that we also implemented NAT. Perhaps this is causing some problems with the IPsec tunnel being created. To test this, we will enable the debug ip nat command and reissue the extended ping.

Page 78: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers


Again, the pings are successful. Notice, however, that the internal IP address is being translated to a global NAT IP address, making the source traffic uninteresting – the source IP is NOT from 192.168.1.0/24 but from the NAT pool, 209.165.200.249.

Corporate LAN-to-LAN IPsec traffic does not need to be translated by NAT. It should remain private in its path, because it is encapsulated inside another IP packet. However, NAT can interfere with this process. Because the NAT process takes place before the encryption process, by the time the traffic arrives at the crypto map ACL, it looks like it is from 209.165.200.248/29 going to 10.10.10.0.

Page 79: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers


Page 80: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

ACL 110 identifies interesting VPN traffic; BRANCH-NAT-ACL identifies traffic to be translated.

The crypto map ACL 110 is configured to encrypt traffic from 192.168.1.0/24 to 10.10.10.0/24, but the traffic arrives at the crypto process with a 209.165.200.249 source IP address, so the crypto map does not encrypt it (does not use the VPN tunnel).

So the current NAT configuration is creating a problem. The solution is to create a NAT exemption: the NAT access list must also identify when traffic should not be translated.

Page 81: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

For the NAT process (the ACL that identifies traffic to translate):

- A deny line means "do not translate": do not translate packets going from the Branch LAN to the HQ LAN.
- A permit line means "translate": do translate packets from the Branch LAN to all other destinations.
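The NAT exemption described above, shown as the problem ACL and the corrected ACL side by side, as an added example that is not the deck's own configuration. It assumes FastEthernet0/0 is the branch LAN interface, Serial0/0/0 the Internet-facing interface, and BRANCH-POOL is an assumed name for the 209.165.200.248/29 pool.

```cisco
! Branch router NAT: problem configuration and the NAT exemption that fixes it
! (added example, not the deck's config). Assumptions: Fa0/0 = branch LAN,
! Serial0/0/0 = Internet-facing interface, BRANCH-POOL = assumed pool name.
!
! Existing (problem) NAT ACL: every packet from the branch LAN is translated,
! so LAN-to-LAN packets reach crypto ACL 110 with source 209.165.200.249
! and never match 192.168.1.0/24 -> 10.10.10.0/24
ip access-list extended BRANCH-NAT-ACL
 permit ip 192.168.1.0 0.0.0.255 any
!
! NAT exemption: a deny line means "do not translate". The deny for the HQ LAN
! must sit above the permit, so the old permit is removed and re-added after it.
ip access-list extended BRANCH-NAT-ACL
 no permit ip 192.168.1.0 0.0.0.255 any
 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
! Unchanged NAT statement that binds the ACL to the pool
ip nat pool BRANCH-POOL 209.165.200.249 209.165.200.254 netmask 255.255.255.248
ip nat inside source list BRANCH-NAT-ACL pool BRANCH-POOL overload
interface FastEthernet0/0
 ip nat inside
interface Serial0/0/0
 ip nat outside
!
! Entries already in the NAT cache are not re-evaluated against the new ACL,
! so clear them before testing, then confirm 192.168.1.x is gone (exec mode):
! clear ip nat translation *
! show ip nat translations
! debug ip nat
```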


Page 82: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers


The ping is successful, but it appears that NAT still translated the inside LAN address.

Let’s verify the NAT translation …

Page 83: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

Notice that the 192.168.1.1 address is still in the NAT cache. This is the cause of our current problem. The NAT translations should be cleared, and only then will the branch router enforce the new BRANCH-NAT-ACL entries.

Page 84: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

Now our VPN link has been activated. Notice that four out of the five pings were successful; it is typical for the initial traffic that initiates the VPN tunnel to time out.

Page 85: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

Verify


Page 86: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers


Page 87: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

Impact on Routing

A significant drawback of an IPsec VPN is that it cannot route multicast and broadcast packets. Routing protocols (IGPs) such as EIGRP and OSPF that use multicast packets cannot send routing advertisements through an IPsec VPN.

However, IPsec can be combined with Generic Routing Encapsulation (GRE) to create a tunnel that circumvents the issue with IGP routing within VPN tunnels.

Page 88: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

Configuring GRE Tunnels

There are four options to route dynamic routing protocols through an IPsec tunnel:

- Point-to-point generic routing encapsulation (P2P GRE)
- Virtual tunnel interface (VTI)
- Dynamic multipoint VPN (DMVPN)
- Group encrypted transport VPN (GET VPN)

In this section, we focus on P2P GRE.

Page 89: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

GRE is a tunneling protocol developed by Cisco that creates a virtual point-to-point link. A common option is to use GRE to pass dynamic routing protocol traffic across an IPsec tunnel.

GRE and IPsec: Tunnel Within a Tunnel

GRE does not provide encryption services; it is just an encapsulation protocol. Our GRE packets will be encrypted by IPsec.

Figure: EIGRP traffic inside the GRE tunnel, which is itself inside the IPsec tunnel (LAN-to-LAN).

Page 90: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

Point-to-point GRE encapsulates routing protocols in GRE first Then the GRE packets are encapsulated in IPsec and encrypted.


Page 91: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

The following three configuration steps will help us accomplish our goal:

1. Create tunnel interfaces for GRE. First configure the tunnel interfaces with GRE encapsulation. Make sure that the tunnel is up and running.

2. Change the crypto ACL to encrypt GRE traffic. Make a change to the IPsec configuration to include GRE traffic in the crypto ACL. This will cause GRE traffic (routing updates) to be channeled across the IPsec VPN tunnel like other interesting traffic.

3. Configure routing protocols to route through the GRE tunnel. Last, configure our routing protocol to use the tunnel interface.

Configuring GRE

Page 92: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers


To avoid errant EIGRP neighbor messages from appearing, remove EIGRP.

- The tunnel IP address is 172.16.100.2/30, which will serve as the tunnel destination in the HQ router tunnel configuration.
- The tunnel source is the Internet-facing interface on the branch router. The tunnel source command is used to specify either the source interface or the source IP address; we have chosen to specify the IP address.
- The tunnel destination address will be the reachable global IP address of the HQ router.

Page 93: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

Repeat the preceding configurations on the HQ router.

- The tunnel IP address is 172.16.100.1/30, which will serve as the tunnel destination in the branch router tunnel configuration.
- The tunnel source is the Internet-facing interface on the HQ router. The tunnel source command is used to specify either the source interface or the source IP address.
- The tunnel destination address will be the reachable global IP address of the Branch router.

Note: GRE over IP is the default for tunnel interfaces (tunnel mode gre ip).

Page 94: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

Verify the current tunnel interface configuration. No traffic is currently using these tunnel interfaces because EIGRP is not yet aware that it has to use them to communicate.

In the verification output, check that:

- the tunnel is up and up
- the tunnel IP address is correct
- the tunnel source and destination IP addresses are correct
- the tunnel protocol is GRE over IP

Page 95: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

We must now change the crypto ACL to make the GRE traffic interesting, to enable the IPsec tunnel. Remove the current crypto ACL and replace it. We will address the LAN-to-LAN tunnel in a moment.

The new crypto map ACL specifies that whenever the public IP address of the branch router attempts to send a GRE update to the public IP address of the HQ router, an IPsec VPN should be enabled.

The reciprocating crypto map ACL is configured on the peer.

Page 96: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

Ping the tunnel interface on the peer. We should now have basic GRE over IPv4 connectivity. The pings are 80 percent successful, indicating that perhaps the first ping timed out because of the IPsec VPN being activated.

Page 97: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

Verify connectivity from the branch LAN to the HQ LAN: the LANs can no longer reach each other.

Page 98: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

We have the 172.16.100.0 network connected to the Tunnel 0 interface, and we still have the default static route we configured earlier pointing to the ISP. However, the branch LAN does not know about the HQ LAN, located in the private address space 10.10.10.0/24, via the VPN tunnel.

Page 99: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

Configure EIGRP to propagate the LAN and the tunnel routing information between the sites

LAN-to-LAN traffic will now use the Tunnel, encapsulated by GRE and therefore will use IPsec

Verify
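The three GRE-over-IPsec steps (tunnel interfaces, GRE crypto ACL, EIGRP over the tunnel) on both routers, as an added example that is not the deck's own configuration. It assumes EIGRP AS 1, uses the placeholders <BRANCH-PUBLIC-IP> and <HQ-PUBLIC-IP>, and keeps the crypto maps from the earlier site-to-site configuration (the crypto map still references ACL 110, so only the ACL contents change).

```cisco
! Branch router: GRE over IPsec with EIGRP (added example, not the deck's config).
! Assumptions: EIGRP AS 1; <BRANCH-PUBLIC-IP> / <HQ-PUBLIC-IP> are placeholders;
! the crypto maps from the site-to-site setup stay in place.
!
! Step 1: GRE tunnel interface (GRE over IP is the default tunnel mode)
interface Tunnel0
 ip address 172.16.100.2 255.255.255.252
 tunnel source <BRANCH-PUBLIC-IP>
 tunnel destination <HQ-PUBLIC-IP>
!
! Step 2: make GRE the interesting traffic. The LAN-to-LAN entry is replaced:
! LAN-to-LAN packets now travel inside GRE, so only the router-to-router
! GRE flow needs to match the crypto ACL.
no access-list 110
access-list 110 permit gre host <BRANCH-PUBLIC-IP> host <HQ-PUBLIC-IP>
!
! Step 3: EIGRP advertises the LAN and the tunnel network. The branch learns
! 10.10.10.0/24 via 172.16.100.1, so LAN-to-LAN traffic enters Tunnel0, is
! GRE-encapsulated, matches ACL 110 and is encrypted by IPsec.
router eigrp 1
 network 192.168.1.0
 network 172.16.100.0 0.0.0.3
 no auto-summary
!
! HQ router: reciprocating tunnel, crypto ACL and EIGRP
interface Tunnel0
 ip address 172.16.100.1 255.255.255.252
 tunnel source <HQ-PUBLIC-IP>
 tunnel destination <BRANCH-PUBLIC-IP>
no access-list 110
access-list 110 permit gre host <HQ-PUBLIC-IP> host <BRANCH-PUBLIC-IP>
router eigrp 1
 network 10.10.10.0 0.0.0.255
 network 172.16.100.0 0.0.0.3
 no auto-summary
!
! Verify (exec mode, branch router):
! show interfaces tunnel 0   -> up/up, GRE/IP, source and destination addresses
! ping 172.16.100.1          -> first reply may time out while IPsec comes up
! show ip eigrp neighbors    -> 172.16.100.1 on Tunnel0
! show ip route eigrp        -> D 10.10.10.0/24 via 172.16.100.1, Tunnel0
! show crypto ipsec sa       -> pkts encaps/decaps counters increase with LAN pings
```

Traffic from the branch LAN to any destination other than the HQ LAN still follows the default route to the ISP, is translated by NAT, and never matches ACL 110.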

Page 100: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

This confirms that packets are indeed traversing the IPsec VPN.


Page 101: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

As you can see, regular traffic (non-LAN-to-LAN and non-router-to-router EIGRP traffic) does not take the GRE over IPsec VPN tunnel


Page 102: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

GRE Tunnel Summary


Page 103: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

Summary

- Created our broadband connection
- Configured a floating static route: if the Private WAN is down, use the Internet (ISP)
- Configured NAT for traffic over the Internet: changes the private source IP address for traffic over the Internet
- Configured IPsec
  - Want all traffic, including LAN-to-LAN, to use the Internet (ISP)
  - Want to secure LAN-to-LAN traffic between Branch and HQ over the Internet using IPsec
  - Problem: LAN-to-LAN traffic is being sent over the Private WAN. Solution: modify NAT to create a NAT exemption
  - Problem: IPsec does not support broadcasts and multicasts, so it cannot send EIGRP routing updates. Solution: use a GRE tunnel – encapsulate traffic inside a GRE point-to-point tunnel, then inside an IPsec tunnel
  - Must add the GRE tunnel network to EIGRP so all LAN-to-LAN traffic uses the GRE tunnel

Page 104: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

Suggested Readings on VPNs

- IPsec Virtual Private Network Fundamentals, by James Henry Carmouche
- Implementing Cisco IOS Network Security (IINS): (CCNA Security exam 640-553) (Authorized Self-Study Guide), by Catherine Paquet
- CIS 146 CCNA Security class, instructor: Gerlinde Brady, offered Spring 2011

Page 105: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

Lab will reinforce concepts and commands


Page 106: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers


Page 107: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

Planning for Mobile Worker Implementations

Please read this section on your own.


Page 108: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

The enterprise mobile worker solution provides an always-on, secure, centrally managed connection from multiple global locations to the corporate network.

Possible options:

- IPsec and Secure Sockets Layer (SSL) VPNs – establish a secure tunnel over existing broadband connections to the central site.
- Security – safeguard the corporate network and prevent unguarded back doors: firewall, intrusion prevention, URL filtering services.
- Authentication – defines who gets access to resources and is achieved by deploying identity-based network services with authentication using AAA servers, 802.1X port-based access control, and Cisco security trust agents.
- QoS – quality of service addresses application availability and behavior: prioritize traffic and optimize the use of WAN bandwidth.
- Management – centrally manages and supports the mobile worker connection and equipment, and transparently configures and pushes security and other policies to the remote devices.

Page 109: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

The following components are required to provide remote access to mobile workers:

- VPN router (for example, Cisco Easy VPN server)
- Mobile worker device (for example, Cisco Easy VPN client)
- IPsec VPN tunnel
- Internet connectivity

Page 110: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

The headend VPN router is also known as the Easy VPN server in Easy VPN terminology.

It concentrates the bulk of the remote-end configuration, which "pushes" the policies to the client at the moment of connection.

The remote end, the device used by the mobile worker, is known in Easy VPN terminology as the Easy VPN remote or Easy VPN client.

The Easy VPN remote device starts an IPsec VPN tunnel to connect to the Easy VPN server across the public network.


Page 111: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

The following steps are required to configure a router as an Easy VPN server:

Step 1: Allow IPsec traffic.
Step 2: Define an address pool for connecting clients.
Step 3: Provide routing services for VPN subnets.
Step 4: Tune NAT for VPN traffic flows.
Step 5: Verify the IPsec VPN configuration.

Page 112: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

Step 1: Allow IPsec traffic

The first step is to make sure we are allowing IPsec traffic into our VPN router. The router is typically running some sort of firewall service, or at least ACLs to implement antispoofing mechanisms and other security controls. There are different types of Cisco IOS firewalls:

- A classic firewall is based on ACLs and is referred to as context-based access control (CBAC).
- A zone-based firewall (ZBF) is a more recent approach to implementing the service in routers.

Page 113: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

- The show ip inspect command gives you the details on the classic firewall.
- The show zone-pair security command gives you the details about the zone-based firewall.

Page 114: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

show ip interface fa0/1 - There is an inbound access list called FIREWALL-INBOUND applied to interface Fa0/1


Page 115: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

The access list called FIREWALL-INBOUND, currently configured in R1, could be part of a bigger firewalling strategy

Need to investigate further whether our IOS router is configured to act as a firewall.


Page 116: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

We have a classic firewall (CBAC) configured inbound on R1. We can also see which access lists are involved in the access control process, so we can quickly make a note and proceed to change the ACLs to allow IPsec traffic.

The access list is conveniently called FIREWALL-INBOUND, which we looked at earlier.

Page 117: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

Using the show zone-pair security command on R1, we see that a zone-based firewall has not been configured.

Page 118: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

We know we have CBAC. Let's add IPsec support to the ACL (open up the ACL for IPsec).

- IPsec uses ESP to provide confidentiality through encryption. ESP, found at Layer 4 of the OSI model, uses protocol 50.
- IPsec can also use AH if only integrity is required. AH uses protocol 51.
- During the first stage of IPsec, peer negotiations and credentials are exchanged using a protocol called ISAKMP, on UDP port 500. ISAKMP is one of three components that make up IKE.
- Finally, UDP 4500 will need to be opened for NAT Traversal (NAT-T), another IPsec service.
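The four entries the list above calls for, added to FIREWALL-INBOUND on R1, as an added example that is not the deck's own configuration. It assumes <R1-PUBLIC-IP> as a placeholder for the address clients connect to, FastEthernet0/1 as the interface the slides show the ACL on, and represents the existing firewall entries only by remark lines.

```cisco
! R1 (Easy VPN server): open the classic-firewall ACL for IPsec
! (added example, not the deck's config). Assumptions: <R1-PUBLIC-IP> is a
! placeholder; Fa0/1 is the interface carrying FIREWALL-INBOUND; the existing
! antispoofing entries are represented only by remarks.
!
! New entries are appended at the end of a named ACL. If an existing deny would
! match IPsec first, give these lines lower sequence numbers instead
! (for example "5 permit udp any host <R1-PUBLIC-IP> eq isakmp").
ip access-list extended FIREWALL-INBOUND
 remark --- existing antispoofing and other firewall rules stay here ---
 remark ISAKMP / IKE phase 1 negotiation: UDP 500
 permit udp any host <R1-PUBLIC-IP> eq isakmp
 remark NAT Traversal (NAT-T): IPsec encapsulated in UDP 4500
 permit udp any host <R1-PUBLIC-IP> eq non500-isakmp
 remark ESP (IP protocol 50): encrypted payload
 permit esp any host <R1-PUBLIC-IP>
 remark AH (IP protocol 51): integrity only; omit if AH is not used
 permit ahp any host <R1-PUBLIC-IP>
 remark --- remaining existing rules; implicit deny at the end ---
!
interface FastEthernet0/1
 ip access-group FIREWALL-INBOUND in
!
! Verify (exec mode):
! show ip inspect config      -> classic firewall (CBAC) details
! show zone-pair security     -> nothing listed: no zone-based firewall
! show ip interface fa0/1     -> FIREWALL-INBOUND applied inbound
! show access-lists FIREWALL-INBOUND -> match counters on the IPsec lines grow
!                                       as clients connect
```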

Page 119: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

Defining Address Pools

Step 1: Allow IPsec traffic.
Step 2: Define an address pool for connecting clients.

Page 120: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

Address pools for these VPN users are typically assigned using DHCP. Hosts already have an IP address to start with, which allows them to connect to their IP network. But with IPsec tunnels, IPsec VPNs encapsulate the original traffic within an additional packet, to allow that private traffic to be routed across a public network.

So ultimately traffic needs to go between:

- a private host (located outside of the private network)
- a private resource

The encapsulation process will use:

- private addressing in the original (encapsulated) packet
- public addressing for the "outer" (encapsulation) packet

Page 121: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

Providing Routing Services for VPN Subnets

Step 1: Allow IPsec traffic.
Step 2: Define an address pool for connecting clients.
Step 3: Provide routing services for VPN subnets.

Provide effective routing services so that traffic coming from VPN clients can reach internal resources and the return traffic can find its way back to those remote users.

Page 122: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

VPN subnets, defined by the IP address pools allocated for remote-access clients, are ephemeral. They appear and disappear as VPN clients connect and disconnect.

Several methods, including the following, can be used to make those address pools known to routers in the internal network:

- Proxy ARP – a simple method; the client is on the same network as the company (http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094adb.shtml)
- Reverse route injection – VPN software clients inject their assigned IP addresses as host routes (http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094a6b.shtml)
- Static routes with redistribution (next)

Page 123: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

One way to provide routing services to remote users is a hybrid solution using static and dynamic features. This is achieved by creating a static route pointing to the remote-access address pool and then redistributing that particular static route into your routing protocol.

The commands used are ip route and redistribute static metric {metric_value}.

- Create a static route using ip route 10.254.254.0 255.255.255.0 192.168.1.2. The static route points to R1 as the next hop, which is 192.168.1.2. This next hop is responsible for initiating and terminating VPN tunnels.
- Redistribute the static route into EIGRP. It is best practice to use route filters to ensure that only the desired routes are redistributed.

Page 124: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

R2 is aware of the remote-access VPN subnet, 10.254.254.0/24. As soon as our VPN clients connect to our corporate network, R2 will be able to route traffic back to them.

Page 125: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

Tuning NAT for VPN Traffic Flows


Page 126: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers

Only VPN destinations should bypass translation. All other Internet-bound traffic must be translated.

Traffic originating from any IP address, but with a destination of 10.254.254.0/24, addresses of our remote users, will be denied translation.

All other IP traffic will be subjected to translation.
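Steps 3 and 4 together (the static route with filtered redistribution from the routing-services slides, and the NAT rule for the VPN pool described just above), as an added example that is not the deck's own configuration. It assumes the static route and redistribution live on the EIGRP router adjacent to R1 (AS 1 and the metric values are assumptions), and that NAT is on R1 with FastEthernet0/1 as the Internet side and NAT-ACL as an assumed ACL name.

```cisco
! Steps 3 and 4 for the Easy VPN pool 10.254.254.0/24 (added example, not the
! deck's config). Assumptions: static route + redistribution on the EIGRP router
! next to R1, EIGRP AS 1, illustrative metric values; NAT on R1 with Fa0/1 as
! the outside interface and NAT-ACL as the ACL name.
!
! Step 3: static route for the remote-access pool, next hop R1 (192.168.1.2),
! the router that initiates and terminates the VPN tunnels
ip route 10.254.254.0 255.255.255.0 192.168.1.2
!
! Route filter so that only the pool route is redistributed (the best practice
! the slide mentions). Any other static route, such as a default route, falls
! to the route-map's implicit deny and stays out of EIGRP.
ip prefix-list VPN-POOL seq 5 permit 10.254.254.0/24
route-map STATIC-TO-EIGRP permit 10
 match ip address prefix-list VPN-POOL
!
router eigrp 1
 redistribute static metric 10000 100 255 1 1500 route-map STATIC-TO-EIGRP
!
! Step 4: NAT tuning on R1. A deny line means "do not translate": only traffic
! destined to the VPN pool bypasses translation; everything else bound for the
! Internet is translated.
ip access-list extended NAT-ACL
 deny ip any 10.254.254.0 0.0.0.255
 permit ip any any
ip nat inside source list NAT-ACL interface FastEthernet0/1 overload
!
! Verify on R2 (exec mode):
! show ip route 10.254.254.0   -> D EX 10.254.254.0/24, an EIGRP external route
! Verify on R1 after a client connects:
! show ip nat translations     -> no entries for 10.254.254.x destinations
```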


Page 127: CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers
